We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

An outline of key factors to be considered by regulated firms when contemplating using banking solutions provided by third-party technology providers was published by the Financial Conduct Authority (FCA) this month. Although the FCA's guidance refers to off-the-shelf technology banking solutions, it is equally applicable to firms which are active in other areas, such as asset management.

Technology is now an integral part of most services, particularly in the financial services industry, and there exists a great wealth of potential operating options. As a result, regulated firms regularly outsource technology and IT operations to providers which have expertise in this area rather than developing technology internally.

Where third-party services are critical to the operations of a regulated firm's business, the service provider is considered an "outsource service provider" (OSP) and there are additional regulatory obligations with which the regulated firm must comply. In particular, the regulated firm must be able to demonstrate that it complies with the threshold conditions outlined in Condition 2.4 (Appropriate Resources) and Condition 2.5 (Suitability) as well as SYSC 8.1 (Outsourcing) of the FCA Handbook.

The FCA has highlighted a number of questions for firms to consider under each of the following areas:

Reasons for deciding to outsource critical technology services;

The process of selecting the OSP;

Oversight and governance of the OSP;

Operational issues;

Service protection; and

Data protection.

By taking these matters into consideration, and undertaking preparation on this basis, the FCA believes that regulated firms will be supported by "effective, resilient and secure" IT services which are appropriate for the purposes of each firm's activities. Additionally, regulated firms are expected to have appropriate arrangements in place for consistent oversight of any OSPs and associated risks.

Regardless of the third-party services which are used, regulated firms should remember that they remain fully accountable for all regulatory responsibilities.